Skip to main content

Elixir Plug EUVDEUVD-2026-42873

| CVE-2026-56814 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-10 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
6.9
CVSS 4.0 · Vendor: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Share

Severity by source

Vendor (6b3ad84c-e1a6-4bf7-a703-f496b71e49db) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable, unauthenticated, zero-complexity attack; A:H because a single request can fully exhaust inodes, disk, and memory, crashing the application.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (6b3ad84c-e1a6-4bf7-a703-f496b71e49db).

CVSS VectorVendor: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 13:01 EUVD
Analysis Generated
Jul 10, 2026 - 12:36 vuln.today

DescriptionCVE.org

Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part body bytes; part header bytes are never counted, and a part with an empty body costs zero.

Because every part whose Content-Disposition carries a non-empty filename creates a fresh temporary file (via Plug.Upload) and retains a Plug.Upload struct for the duration of the request, an attacker can send a single request composed of many empty-body file parts. Such a request stays well under the configured :length limit (8,000,000 bytes by default) while creating one temporary file per part, leading to inode and disk exhaustion and unbounded memory growth. Any application using Plug.Parsers with the :multipart parser is affected, and no authentication is required, only reachability of a multipart endpoint over HTTP.

This vulnerability is associated with program files lib/plug/parsers/multipart.ex and program routines Plug.Parsers.MULTIPART.parse_multipart/2, Plug.Parsers.MULTIPART.parse_multipart_headers/5, Plug.Parsers.MULTIPART.parse_multipart_body/4, and Plug.Parsers.MULTIPART.parse_multipart_file/4.

This issue affects plug: from 1.4.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, and from 1.20.0 before 1.20.3.

AnalysisAI

Denial of service in Elixir's Plug library (versions 1.4.0 through 1.20.2) allows unauthenticated remote attackers to exhaust filesystem inodes, disk space, and server memory via a single crafted multipart HTTP request. The Plug.Parsers.MULTIPART component charges its configurable :length limit only against part body bytes, meaning part headers are never counted and parts with empty bodies cost exactly zero - yet each such part with a filename triggers creation of a Plug.Upload struct and a real temporary file on disk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable multipart endpoint
Delivery
Craft HTTP POST with thousands of empty-body file parts
Exploit
Submit single request under :length limit
Execution
Server creates one temporary file per part via Plug.Upload
Persist
Filesystem inodes and disk exhausted
Impact
Application denies service to all users

Vulnerability AssessmentAI

Exploitation The only prerequisite is HTTP reachability of an endpoint that uses Plug.Parsers with the :multipart parser - which includes any file upload form in a Phoenix or Plug-based application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 6.9 (Medium) with VA:L understates the practical impact for resource-constrained or high-traffic deployments: the description explicitly states the attack leads to inode and disk exhaustion and unbounded memory growth from a single request, which is characteristic of a high availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a public file-upload endpoint on a Phoenix application and sends a single HTTP POST with Content-Type: multipart/form-data containing several thousand MIME parts, each consisting only of headers (Content-Disposition: form-data; name="f"; filename="x") followed by an empty body. The total request body remains well under the default 8MB :length limit while the server creates thousands of temporary files, rapidly consuming filesystem inodes and disk space, and accumulating Plug.Upload structs in memory until the application process crashes or the OS rejects further file creation.
Remediation Upgrade to a patched release: plug 1.16.6, 1.17.4, 1.18.5, 1.19.5, or 1.20.3, depending on your current minor line. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy